The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance to help institutions identify and implement appropriate risk-management practices when using "free and open source software" (FOSS).

Highlights:

FOSS refers to software that users are allowed to run, study, modify and redistribute without paying a licensing fee. Well-known examples are the Linux operating system, Apache Web server and mySQL database.

The use of FOSS is increasing in the mainstream information technology and financial services communities.

The federal regulatory agencies believe that using FOSS does not impose risks to institutions that are fundamentally different from risks presented by proprietary or self-developed software. However, acquiring and using FOSS necessitates that institutions implement unique risk-management practices.

This guidance supplements the FFIEC IT Examination Handbook's Development and Acquisition Booklet by addressing strategic, operational and legal risk considerations in acquiring and using FOSS.